The User Administration Procedure has been designed to provide a unified guideline for creating, modifying or deleting user accounts on Company business systems. It provides guidelines to be followed for creating a user account, modifying access rights for a user account, reviewing active user accounts defined for each system and removing unnecessary user accounts.
Specific user administration procedures, detailing all the steps to be performed for user administration, must be developed by the information system custodian for each system and must be approved by the information system owner.
1.1 PROCEDURE OWNER
1.3 APPLICABLE REGULATIONS
1.4 RELATED [COMPANY] NORMS AND PROCEDURES
1.6 AUDIENCE AND SCOPE
1.7 DOCUMENT SUPPORT
2. DEFINITIONS & ABBREVIATIONS
3. REQUIREMENTS FOR USER ADMINISTRATION
3.1 CREATING USER ACCOUNTS
3.2 MODIFYING ACCESS RIGHTS
3.3 REMOVING ACCESS RIGHTS
3.4 REVIEW OF USER ACCESS RIGHTS
3.5 PRIVILEGE MANAGEMENT
4.1 DEPARTMENT MANAGER
4.2 TECHNOLOGY SECURITY TEAM
4.3 SYSTEM OWNER
6. FINAL CONSIDERATIONS
6.1 DISCIPLINARY ACTIONS AGAINST PROCEDURE VIOLATION
6.2 DOCUMENT REVISION
The techniques of dual control and segregation of duties have to be implemented to enhance the control over activities wherever the risk and impact of an IT Security incident would likely result in financial or other material damage to the organization.
The objective of this procedure is to ensure the security of Company's assets. Effective security controls over access to data are an essential component of the effective risk management of Company's data resource.